Download Power Supply Signal Calibration Techniques for

Power Supply Signal Calibration Techniques for Improving Detection
Resolution to Hardware Trojans
Reza M. Rad, Xiaoxiao Wang+, Mohammad Tehranipoor+, Jim Plusquellic*
Department of CSEE, Univ. of Maryland, Baltimore Campus
+Department of Electrical and Computer Engineering, Univ. of Connecticut
*Department of Electrical and Computer Engineering, Univ. of New Mexico
Abstract
Chip design and fabrication is becoming increasingly vulnerable
to malicious activities and alternations with globalization. An
adversary can introduce a Trojan designed to disable and/or
destroy a system at some future time (Time Bomb) or the Trojan
may serve to leak confidential information covertly to the adversary. This paper proposes a taxonomy for Trojan classification
and then describes a statistical approach for detecting hardware
Trojans that is based on the analysis of an ICs power supply transient signals. A key component to improving the resolution of
power analysis techniques to Trojans is calibrating for process
and test environment (PE) variations. The main focus of this
research is on the evaluation of four signal calibration techniques, each designed to reduce the adverse impact of PE variations on our statistical Trojan detection method.
1 Introduction
A drawback to the globalization of the chip industry is the
increased susceptibility of chip design and fabrication to malicious alternations [1][2]. This new threat involves actions taken
by an adversary to deliberately modify a chip’s design to include a
hardware Trojan. The Trojan may be designed to cause the chip to
fail at some critical time while operating in mission mode or it
may serve to leak confidential information covertly to the adversary. Many types of hardware systems are threatened including
those responsible for the security of personal information, and
those that implement and support financial infrastructures, military systems and even household appliances. Trojans are cleverly
hidden by the adversary to make it extremely difficult for chip validation processes, such as manufacturing test, to accidentally discover them. Many proposed Trojan detection techniques,
particularly logic-based testing techniques that target Trojan activation via statistical analysis of unlikely circuit states, will not be
effective against even the simplest Trojan hiding techniques.
Most hardware-based security techniques modify hardware
to prevent attacks and to protect IPs or secret keys. However, the
types of attacks addressed in this paper are fundamentally different. Here the attacker is assumed to maliciously alter the design
before or during fabrication. Unfortunately, detection of such
alterations is extremely difficult for several reasons. First, physical inspection through destructive reverse engineering is becoming increasingly difficult and costly in nanometer technologies.
Second, purposeful activation and discovery of Trojan circuits
through application of random or ATPG generated patterns is easily defeated by an adversary. Third, the adversary can configure
the Trojan to have a minimal impact on the chip’s nominal transient and quiescent leakage current. Therefore, conventional testing methods that measure global, chip-wide, behavior of the
power supply current, e.g., IDDQ, are ineffective because of very
small Trojan-current-to-background-current ratios that are present
in multi-million transistor chips.
Given these characteristics, we believe the most effective
approach for detecting Trojans is to analyze the parametric properties, e.g., power and delay, across multiple regions of the chip.
In particular, we propose a region-based transient power signal
analysis method to reduce the impact of increasing levels of pro-
cess variations and leakage currents. A region is defined as a portion of the layout that receives the majority of its power from a set
of surrounding power ports or C4 bumps. In previous work, we
showed that regional analysis significantly increases the resolution of power analysis methods to Trojans [3]. However, by itself,
it is not sufficient for dealing with the adverse effects of process
and test environment (PE) variations on detection resolution. To
fully leverage the resolution enhancements available in a regionbased approach, such methods must be combined with signal calibration techniques, that are designed to attenuate and remove PE
signal variation effects.
In this paper, we propose four signal calibration strategies,
one based on quiescent signals (DC) and three based on transient
signals (AC), and evaluate them using simulations of a design
with inserted Trojans. The improvements to Trojan detection resolution provided by each signal calibration method are determined using a prediction ellipse statistical approach and an
analysis of outlier residuals. Our simulation results indicate that
1) all signal calibration methods significantly improve Trojan
detection resolution of region-based power signal analysis methods when compared with no signal calibration, 2) the AC techniques outperform the DC method and 3) there is no significant
difference among the three AC alternatives. The last finding is
significant because it indicates that a simple sample-based AC
calibration method can be used over the more complex waveform
sampling techniques.
The remainder of this paper is organized as follows. Related
work is described in Section 2 and a Trojan classification scheme
is presented in Section 3. The simulated design, inserted Trojans
and statistical analysis method are described in 4. Section 5
describes the signal calibration methods and Section 6 presents
the simulation results. Section 7 gives our conclusions.
2 Background
Security is a major concern in the design and test of chips,
particularly in areas that involve protecting secret keys and IPs.
The malicious insertion of hardware Trojans in ICs is a new security concern that must now be addressed in combination with conventional security risks. The following summarizes the published
work on this topic.
The authors of [4] were the first to address the hardware Trojan issue. They propose the use of side-channel signals, e.g., transient power supply currents, to identify Trojans in chips. The
main deficiencies of their technique include the measurement of
global signals and the use of signal processing techniques to deal
with process variation effects. Also, test environment variations
are not modeled or addressed in their work and, unfortunately, are
significant detractors for transient signal analysis methods.
The authors of [5] propose an method that first determines a
set of target ‘hard-to-observe’ sites for a Trojan with q inputs and
then uses ATPG to generate patterns to activate the Trojan.
Although this may be an effective strategy for Trojans with a
small number of inputs, analysis complexity and test set size will
make this type of approach impractical for larger Trojans.
A Trojan detection method that measures the combinational
delay of a large number of register-to-register paths internal to the
Trojan taxonomy
Physical
characteristics
Activation
characteristics
Always
on
Distribution
Type
Functional Parametric
Tight
Loose
Size
Small
Transistor/wire
Action
characteristics
Condition
based
Logic
based
Sensor
based
Temp. Volt.
Large
Gate/Macro
Modify
function
Add
Bypass
Modify
spec.
Ext.
Internal
state
Input
Data
Instruction
Cnter/Clk Defects Reliability
Interrupt
Figure 1. Taxonomy of Trojans
functional portion of the IC is proposed in [6]. This approach
assumes the attacker is not able to leverage existing ‘white space’
to insert the Trojan, or use design techniques that avoid adding to
path delays. Moreover, the method requires precise characterization of silicon path delays at design time, which is becoming
increasingly difficult because of process variation effects.
In [7], the authors propose a region-based stimulation strategy and analyze the global power consumption to detect Trojans.
However, their method does not account for PE variations. In [8],
the authors introduce special circuitry that enables the direct control of the least controllable nodes in the circuit as a means of triggering the activation of a Trojan. As indicated earlier, methods
that target direct activation are practical only for small Trojans. In
[9], the authors build a path delay fingerprint of Trojan-free chips
by running high coverage input patterns. The number of vectors
needed for large designs to achieve adequate Trojan coverage is
likely to make this approach impractical.
In previous work, we proposed several region-based IDDQ
and IDDT test methods for detecting manufacturing defects and
showed that techniques for calibrating PE variations are critical to
providing adequate detection resolution [10][11]. The same concern holds true for Trojan detection. In this paper, we compare the
previously described DC calibration technique with several new
AC calibration techniques and demonstrate the latter are more
effective at reducing the adverse effects of PE variations on Trojan detection sensitivity.
3 Taxonomy
Our proposed taxonomy describes Trojans using five
attributes, including three physical, one activation and one action
attribute as shown Figure 11. Trojan physical characteristics refer
to the actual layout implementation details of the Trojan. The activation category describes the strategies an adversary may use to
trigger the Trojan to carry out its malicious act. The action category describes the types of changes the Trojan may introduce to
the IC.
3.1 Trojan Physical Characteristics
The type sub-category under physical characteristics partitions Trojans into two fundamentally different classes, functional
and parametric. The functional class includes Trojans that are
physically realized through the addition or deletion of transistors
or gates, while parametric refers to Trojans that are realized
1. Reference [12] elaborates on this taxonomy scheme.
through modifications of existing wires and logic. The thinning of
a wire, the weakening of a transistor or any modification of a
physical geometry designed to sabotage reliability or increase the
likelihood of a functional or performance failure are examples of
the latter. The size category accounts for the number of components in the chip that have been added, deleted or compromised
while the distribution category describes the location of the Trojan in the physical layout of the chip. For example, a tight distribution describes a Trojan whose components are topologically
close in the layout while a loose distribution describes Trojans
that are dispersed across the layout of the chip.
3.2 Trojan Activation Characteristics
Activation characteristics refer to the criteria that causes the
Trojan to become active and carry out its disruptive function. We
partition Trojan activation characteristics into two subclasses,
labeled Always-on and Condition-based as shown in Figure 1.
Always-on, as the name implies, indicates that the Trojan is
always active and can disrupt the function of the chip at any time.
This class covers Trojans that are implemented by modifying the
geometries of the chip such that certain nodes or paths in the chip
have a higher susceptibility to failure. We referred to these types
of Trojans as ‘parametric’ in the type subclass of the physical
characteristics class.
The Condition-based subclass includes Trojans that are
‘inactive’ until a specific condition is met. The activation condition can be based on the output of a sensor that monitors temperature, voltage or any type of external environmental condition, e.g.,
electro-magnetic interference (EMI), humidity, altitude, etc. Or it
can be based on an internal logic state, a particular input pattern or
an internal counter value. The Trojan in these cases is implemented by adding logic gates and/or flip-flops to the chip, and
therefore is represented as a combinational or sequential circuit.
3.3 Trojan Action Characteristics
Action characteristics identify the types of disruptive behavior introduced by the Trojan. The classification scheme shown in
Figure 1 partitions Trojan actions into two categories; Modifyfunction and Modify-specification. As the name implies, the Modify-function class refers to Trojans that change the chip’s function
through additional logic or by removing or bypassing existing
logic. The Modify-specification class refers to Trojans that focus
their attack on changing the chip’s parametric properties, such as
delay. The latter class represents parametric Trojans that modify
wire and transistor geometries.
A
B
31
Wire in original
design Inserted gate
To
Trojan
detonator
activation
wire
Trojan gates and wires
0
Wire in
original
design
Inserted gate
To
detonator
Trojan
activation
32-input wire
32-bit register
32-bit register
31
(a)
0
NAND gate
Trojan transistors,
gates and wires
(b)
Figure 2. Multi-stage logic implementation of a Trojan comparator (a) Monolithic logic gate implementation of a Trojan
comparator (b)
4 Simulated Design and Trojan Detection Method
Based on the proposed Taxonomy, it is clear that the diversity of Trojans is immense and therefore, the most effective strategy for detecting them may vary depending on the specific
characteristics of the Trojan. This paper does not attempt to evaluate the overall effectiveness of region-based transient power signal analysis methods across the proposed Trojan taxonomy (this is
left for future work), but rather is focused on determining the
most effective method(s) of calibrating transient signals for PE
variation effects. The results presented are therefore of benefit to
any type of Trojan detection scheme and are independent of Trojan type. However, in order to provide a meaningful context for
evaluating the signal calibration methods, a core logic design and
several specific Trojan implementations are selected, as described
in the following subsections.
4.1 Trojan Design
Given the clandestine nature of Trojans, we assume an intelligent and determined adversary will make it nearly impossible to
activate the Trojan accidentally or purposefully through functional, structural, and random test patterns during manufacturing
test. For functional, condition-based Trojans, the adversary will
work diligently to control activation to a time of his or her choosing.
The Trojan implementation shown in Figure 2(a) meets this
criteria for a hypothetical military application. The Trojan in this
scenario is embedded in a chip that serves as the controller for a
missile system. The chip receives encrypted data from a groundbased station through an RF channel and stores the data in a register (shown on the left side of Figure 2(a)). By design, the data is
decrypted and checked for validity by core logic components in
the chip (not shown).
The gates shown to the right of the register in the figure represent the Trojan. The inputs to the Trojan connect to the register
and monitor its state. Since the register holds un-encrypted data,
the adversary can control, through his own data transmission
tower, the activation of the Trojan at a time of his choosing by
transmitting a specific bit pattern to the register. One possible
action carried out once the Trojan is activated might be to cause
the missile to detonate prior to reaching its target.
The additional circuitry added by the adversary to implement
the Trojan necessarily includes some type of comparator to decide
when the trigger bit pattern is present. In order to prevent accidental discovery of the Trojan, during, for example, manufacturing
test, the comparator must monitor a sufficiently large number of
bits and assert its output only on one or a very small number of
possible combinations of those bits. For this discussion, assume
the values in a 32-bit register serve as input to the Trojan and the
comparator asserts on only one set of values. This is sufficient to
make it unlikely that the Trojan will be accidentally activated dur-
ing logic testing, e.g., one chance in 232. However, actively monitoring the values in a 32-bit register consumes power, and opens
up the possibility that the Trojan may be detected by monitoring
the power supply current during testing. Therefore, a secondary
issue for the adversary is to minimize the impact of the comparator on the power consumption profile of the chip.
There are many possible ways to implement the comparator.
The implementation shown in Figure 2(a) is a multi-stage logic
gate with one minterm, i.e., it asserts its output under only one
permutation of its inputs. The drawback to this scheme, with
regard to power consumption, is the high probability that partial
activation of the Trojan will occur during testing. Partial activation is defined when one or more of the NORs and NANDs gate
outputs switch in response to changing data patterns in the register. This occurs because each gate monitors only a subset of the
register values. The partial activation of the Trojan increases
power consumption and makes it possible to detect it. A second
scheme is to instead implement the monitor as a monolithic gate,
as shown in Figure 2(b). In this case, a 32-bit NAND gate, shown
at the transistor level, is used to determine when the target bit pattern is present. Partial activation occurs in this implementation as
well by virtue of the inserted inverters and the potential for charging and discharging of the internal parasitic capacitances in the
long chain of series n-channel devices.
There are in fact many other implementations possible for
the comparator. The main point of this analysis, however, is to
demonstrate that Trojans will always have some level of impact
on the power profile of the chip. Even if stealthy layout strategies
are used that reduce the probability of partial activation, capacitive loading to the wires being monitored will always be present.
This is a very important concept because it suggests that it is possible to detect the Trojan without activating it. The challenge is to
develop a detection technique that maximizes the sensitivity to
potentially small changes in the power profile of a chip with an
embedded Trojan. The main detractor to achieving high levels of
resolution are process and environmental (PE) variations.
4.2 Simulation Models and Detection Algorithm
We propose a power supply transient analysis (IDDT) technique for detecting Trojans that is robust to the adverse effects of
PE variations. The method analyzes local, i.e., within-chip, IDDT
measurements obtained from the multiple, individual power ports
(PPs) on the chip. The method is described following the description of the design and model used in the simulation experiments.
4.2.1 Simulation Model
A block diagram of the IC design used in the simulation
experiments is shown in Figure 3. The design includes a six metal
layer power grid with nine power ports, labeled PP0 through PP9.
The core logic consists of four copies of the ISCAS‘85 C499
Membrane probe and its
Tester Power Supply DIB, Probe Card (PCB) contact resistance
PP2
PPP12
PP1
PP5
C499
Copy 2
PP8
PP4
Decoupling
Probe card
Stages
Power Supply
C499
Copy 4
1mΩ 4nH 30mΩ
94nH
PP7
PP0
C499
Copy 1
PP3
C499
Copy 3
PPP03
V
2.5V
PP6
1st
stage
250pH
6600uF
PPP36
Figure 3. Architecture of Simulation Model
benchmark circuit [13]. The design is subsequently referred to as
the Quad Core.
The Trojan simulation models are created in two different
ways for each of the two Trojans shown in Figure 2(a) and (b).
For 2(a), the Trojan is added to the netlist of one copy of the C499
(lower left copy) and CADENCE FIRST ENCOUNTER is used
to synthesize the layout. The re-synthesis of the layout with the
Trojan gates (shown in Figure 2(a)) introduce significant changes
in the placement and routing of the core components of the C499.
In contrast, the components of the Trojan shown in Figure 2(b) are
added to an empty rectangle that is first introduced in the Trojanfree version of the C499 and the inputs to the Trojan are routed
manually to a set of nodes along paths in the C499. Therefore, the
differences in the Trojan-inserted and Trojan-free layouts for Trojan 2(b) are small. As shown in the simulation results, these two
different implementation strategies make it possible to detect Trojan 2(a) more easily than Trojan 2(b).
PE variations are modeled in two ways. First, twenty unique
RC-transistor models of the design are created by configuring
DIVA with different sets of TSMC 0.18 um process parameters
[14]. The two Trojan-free versions of the layout described above
are extracted under each of these process models (PMs) while the
two Trojan-inserted versions are extracted under only the first ten
PMs. Second, probe card impedance variations are introduced in
the off-chip components of the power distribution system. Figure
4 shows a schematic of the power distribution system which
includes components representing the power supply (left), decoupling networks and probe card parasitics (middle) and membrane
probe card contact parasitics (right) [15]. One copy of the probe
card and C4 parasitics are included for each of the nine power
ports of the core logic. A dashed circle encloses the resistance and
inductance components that are varied in each of the simulation
models. The inductor values are varied over 2-20 pH while the
resistance values are varied over 0-800 mΩ. The same procedure
was used to create twenty Trojan-free simulation models.
Three two-pattern test sequences are used to drive the inputs
of the lower left copy of the C499. The inputs to the other copies
are held at steady-state. Each of the test sequences sensitizes paths
along which some of the Trojan inputs are connected. None of the
test sequences cause full activation of either Trojan. However,
each sequence introduces different levels of partial activation.
4.2.2 Trojan Detection Algorithm
The IDDT detection algorithm is based on a statistical analysis of the IDDT waveform areas generated at the nine power ports
as a test sequence is simulated on the Quad Core. For each orthogonal pairing of power ports (see Figure 3), a scatterplot is constructed using the areas produced from simulations of the twenty
5pH
112pH
4pH
25pH
PWR
and GND
C4s
2nd
stage
GND C4 model
8Ω
250mΩ
25pH
4pH
2mΩ 31pH
16.4uF
Figure 4. Probe card model used in the simulation experiments
Trojan-free
process models
PP0 IDDT areas
PPP01
1mΩ
8Ω
250mΩ
2mΩ
2mΩ
VDD C4 model
Prediction
ellipse
residual
Trojan-inserted
process models
PP1 IDDT areas
Figure 5. Example scatterplot for PPP01 of Figure 3 for one
of the experiments.
Trojan-free and ten Trojan-inserted PMs. As an example, the scatterplot shown in Figure 5 is created using the areas measured
from adjacent power ports PP0 and PP1 for an experiment using
Trojan 2(b). A prediction ellipse is derived using the first fifteen
data points from the twenty Trojan-free PM simulations (the last
five Trojan-free PMs are used as control samples.)1 The dispersion in the Trojan-free data points is a result of un-calibrated PE
variations.
Also shown are the data points from the ten Trojan-inserted
PMs. For this experiment, the Trojan introduces sufficient
regional variation to cause all data point to fall outside the bounds
of the prediction ellipse and to be identified as outliers. The residual is labeled for one of the data points in the figure. In our experiments, it is defined as the distance between the data point and the
elliptical bound expressed as a standardized quantity. For example, a standardized residual of three indicates the data point is
three standard deviations from the elliptical bound.
From the architecture shown in Figure 3, it is possible to
construct twelve scatterplots from adjacent power port pairings
(PPPs). Several are labeled in the figure as PPP01, PPP12, PPP03
and PPP36. For each Trojan-inserted PM, we report the largest
standardized residual among the data points that are outliers as a
measure of the effectiveness of the signal calibration technique
under investigation.
1. The elliptical bound is computed from the eigen values of the covariance matrix and a three σ Χ2 (chisquare) distribution statistic.
PP0-IDDT
PP6-IDDT
Current (mAs)
Current (mAs)
PP1-IDDT
NC
path areas
Time (ns)
scatterplot
analysis
path wfms
DC
calibration values
AS
5 ns
path wfms
AW
Time (ns)
IDDQs
Fig. 6. Calibration circuit step responses (left) and their
integrated derivatives (right).
1. The derivative of the step response is the impulse
response or IR.
path
areas
IR areas
matrix transformation
5 Signal Calibration Techniques
Calibration is used to deal with process variations that occur
in the chip’s core logic, power grid and off-chip connections to the
power ports. It is carried out on each chip using special calibration
circuits connected through a scan chain and inserted directly
below each of the power ports. The calibration circuits are
designed to generate a simple stimulus to the power grid. For
IDDT signal analysis, the stimulus is a step current, that is created
by enabling a transistor connected between the power grid and
ground grid in metal 1.
The left side of Figure 6 gives the simulated step response
current waveforms for a calibration test performed using a calibration circuit under PP0 in Figure 3. The waveforms produced at
each of the nine power ports are shown at positions that correspond to the layout positions of the power ports (a few are labeled
in the figure). As expected, the largest IDDT corresponds to PP0.
This is true because the power grid resistance is smallest between
the calibration circuit and this power port. Although not shown,
eight other calibration tests are performed for each of the remaining power ports, with each test producing a set of nine waveforms
as shown for PP0. In total, eighty-one waveforms are produced
from the nine calibration tests.
In this paper, we investigate four signal calibration techniques, called DC for IDDQ-based, AS for AC-sample-based (first
proposed in [17]), AA for AC-area-based and AW for AC-waveform-based, and compare their effectiveness on reducing the
adverse effects of PE variations against a fifth technique called
NC, i.e., no signal calibration. All methods (except NC) make use
of the calibration test data to define a transformation matrix. The
methods differ in the use of the information available in the calibration response waveforms, as depicted in Figure 7. For DC calibration, the steady-state (IDDQ) value of the step response is used.
For AS, the value of the step response at 5 ns is used. For AA, the
area under the derivative of the step response waveform is used1.
For AW, the entire step response waveform is used.
Since DC calibration uses IDDQs, it is capable of calibrating
for only resistance variations in the CUT and test environment.
Therefore, the AC techniques are expected to outperform DC in
cases where inductance and capacitance variations are present.
This holds true in our experiments because the series inductance
in the C4 membrane probe card and the capacitance of the power
grids are different in each of the PMs. Among the three AC methods, AS is the simplest because it requires the measurement of
only a single sample from the calibration response waveforms.
This is similar to the DC technique except that the sample is collected immediately following the introduction of the step input.
wfm
samples
calibrated
path areas
scatterplot
analysis
AW
calibration
wfms DFT
calibration values
path
DFT
wfms
path values
matrix
trans.
iDFT
calibrated
path areas
Fig. 7. Signal Calibration Processes
The AA technique requires the area under the derivative of the
step response or IR waveform to be measured. The measurement
instrumentation needed for this technique is more complex and is
less attractive for this reason. The AW method requires complete
sampling of the step response waveforms and is clearly the most
expensive in terms of instrumentation.
The calibration process can be generalized as follows. The
data from the calibration tests define a matrix CM, as given by
Equation 1, where the rows correspond to the calibration tests and
the columns correspond to the power ports. Here, PPDxy indicates
PPD 08
PPD 00 PPD 01
cal. test 0
----------------- ----------------- ... ----------------GD 0
GD 0 GD 0
PPD 18
PPD 10 PPD 11
cal. test 1
----------------- ----------------- ... ----------------CM = GD
GD 1
1 GD 1
Eq.1.
...
...
... ... ...
PPD 88
PPD 80 PPD 81
cal. test 8
----------------- ----------------- ... ----------------GD 8
GD 8 GD 8
power port data for calibration test x measured at power port y.
The normalization factor given as the denominator, GAx, is the
sum of individual values along each row x. A transformation
matrix, X, is computed from CM by taking its inverse, as given by
Equation 2, where the elements of CM, i.e., PPD00/GA0, are represented as a00 in CM-1.
X
=
x 00 x 01 ... x 08
a 00
x 10 x 11 ... x 18
a
= 10
... ... ... ...
...
x 80 x 81 ... x 88
a 81
CM--1
a 01 ... a 08
a 11 ... a 18
... ... ...
a 82 ... a 88
–1
Eq.2.
The transformation matrix is computed for each test chip
from the calibration data. Once computed, it is subsequently used
to calibrate the path data measured under core logic tests, as given
by Equation 3. The vector given by t0 through t8 corresponds to
Cn
=
Tn
*
6 Simulation Results
X
x 00 x 01 ... x 08
x x ... x 18
c1
= t 0 t 1 ... t 8 × 10 11
... ... ... ...
...
c8
x 80 x 81 ... x 88
and un-normalized path data and 2) by calibrating the path data to
IDENTITY and to t22t, under each of the four calibration methods and three test sequences. This process is repeated for Trojan
2(a) and 2(b).
c0
Eq.3.
the nine data values (areas or waveforms) from the core logic
tests. The calibrated data is given by the column vector on the left,
i.e., c0 through c8.
The calibrated path data given by Cn in Equation 3 can be
used directly in the prediction ellipse method. We refer to this
analysis as ‘un-normalized’ in Section 6. The path data can also
be normalized using a process identical to that described for the
calibration data, i.e., the elements of the vector Cn are each
divided by the sum computed across all elements. We refer to this
analysis as ‘normalized’.
From Figure 7, the calibration data used in Equation 1 corresponds to single floating point numbers for the DC, AS and AA
methods, i.e., current samples for DC and AS and areas for AA.
The calibration data for AW is an entire waveform and requires
special treatment as shown along the bottom of Figure 7. In this
case, a discrete Fourier transform (DFT) is applied to the IR
waveforms to convert them into the real and imaginary components appropriate for the matrix inverse operation. The matrix
inverse is then computed for each set of frequency components
separately. In our experiments, the frequency domain representation contains 1024 real and imaginary components, so 1024 9-by9 CM matrices are constructed and inverted. Normalization is performed by dividing all frequency components by the DC components. The path waveforms are treated in a similar fashion. Once
calibrated, an inverse DFT is performed on the calibrated path real
and imaginary components and the area under the path waveforms
are used in the prediction ellipse method.
One other variant of the calibration process is investigated in
this paper. The transformation matrix X given by Equation 2 is
defined as the matrix inverse of CM. It is also possible to calibrate
to a specific probe card and process model by multiplying the
CM-1 obtained for any given process model by the CM of the target process model using Equation 2, i.e., X = CM-1(PMa) X
CM(PMb) to calibrate PMa to PMb. The target process model in
our experiments is the model identified as t22t on [14]. The two
approaches are referred to as ‘calibrate to IDENTITY’ and ‘calibrate to t22t’.
The process followed in our experiments is as follows. A set
of thirty simulation models are created for the Quad Core, twenty
for the Trojan-free design and ten for Trojan-inserted designs. The
calibration tests are carried out on each model and the transformation matrix computed. Three core logic test sequences are applied
and the IDDT areas or waveforms are calibrated using the transformation matrix. Twelve scatterplots are created from the calibrated
data and the prediction ellipses are computed using fifteen data
points from the Trojan-free PMs. The largest residuals for the five
remaining Trojan-free PMs and ten Trojan-inserted PMs are computed using the data points that fall outside the elliptical bounds
across the twelve scatterplots. The scatterplot analysis is carried
out separately using uncalibrated data and using 1) normalized
The results of the simulation experiments are displayed in a
set of 3-D bar graphs for Trojan 2(a) in Figures 8 and 9 and for
Trojan 2(b) in Figure 10. The x-axis of the bar graphs gives the
control PMs, C1 through C5, and the ten Trojan-inserted PMs, T1
through T10. The y-axis gives the results for the no signal calibration case in front of the results for the DC, AS, AA and AW calibration cases. The z-axis gives the maximum standardized
residuals, i.e., the largest distance among the data points across
the twelve scatterplots that fall outside the three sigma limits for
each process model. A value of zero indicates that all data points
fell within the limits.
The bar graphs of Figure 8 show two results, one for un-normalized data (top) and one for normalized data (bottom). Both bar
graphs give results for Trojan 2(a) under the 2nd test sequence
with the path data calibrated to t22t. The results in Figure 9 are
similar except they are derived from data calibrated to IDENTITY. The results for the 1st and 3rd test sequences in both cases
show similar trends and are therefore not shown.
From these results, it is clear that the ‘no calibration’ technique performs poorly in all cases. For the un-normalized bar
graphs, outliers are present in only five of the ten Trojan-inserted
process models and all maximum residuals are less than 0.7. In
the normalized bar graphs, no outliers are generated so that Trojan
is not detected. As described in Section 4.1, the signal variations
introduced by Trojan 2(a) are fairly large because of the way it is
implemented. This result demonstrates that signal calibration is an
important component for achieving a reasonable level of sensitivity to Trojans using transient power supply detection methods.
From the bars corresponding to the calibration techniques, it
is clear that each is are able to easily identify the presence of this
Trojan. The maximum residuals range from 15 to nearly 60 standard deviations. The failure of the DC calibration method to
account for inductance and capacitance variations reduces its sensitivity to Trojans. This is more noticeable in the bottom (normalized) bar graphs where the maximum residuals for DC are
noticeable smaller than those for any of the AC techniques. Interestingly, the AC techniques are nearly equivalent in terms of their
detection resolution. This is significant because it suggests that
the simpler AS technique can be used in place of more complex
techniques such as AW which perform full waveform calibration.
The last notable observation concerning these results is the
difference in the magnitudes of the maximum residuals of un-normalized and normalized techniques. The normalized technique
marginally outperforms the un-normalized technique for this Trojan. There does not appear to be any advantage to calibrating to
IDENTITY or t22t.
The bar graph of Figure 10 gives the results across all paths
for Trojan 2(b) using the normalized and ‘calibrate to t22t’ methods. The format is identical to that used in Figures 8 and 9 except
for the concatenation of the individual path results along the xaxis. The results for the un-normalized and ‘calibrate to IDENTITY’ methods show no distinguishable advantage for Trojan
2(b), and consequently are not shown.
The smaller range of values along the z-axis reflects the
much smaller signal anomaly introduced by this Trojan, as predicted in the discussion concerning its implementation in Section
4.1. It is also clear that the level of sensitivity to Trojans strongly
depends on the test sequence. The maximum residuals of the 2nd
test sequence are a factor of nearly three smaller than those under
test sequences 1 and 3. Another notable feature is that one of the
10
AW
AA
AS
DC
NC
5
0
Maximum Residuals
Control PMs
Trojan PMs
AW
AA
AS
DC
NC
Trojan PMs
Control PMs
AW
AA
AS
DC
NC
40
35
30
25
20
15
10
5
0
Trojan PMs
Control PMs
Figure 8. Maximum residuals for Trojan 1, path 2,
calibrated to t22t, un-normalized (top), normalized
(bottom).
Maximum Residuals
35
30
25
20
15
10
5
0
Trojan PMs
60
50
40
30
20
10
0
Control PMs
Maximum Residuals
15
Maximum Residuals
Maximum Residuals
25
20
Figure 9. Maximum residuals for Trojan1, path2,
calibrated to IDENTITY, un-normalized (top), normalized
(bottom).
8
7
6
5
4
3
2
1
0
Trojan PMs
Control PMs
1st test sequence
AW
AA
AS
DC
NC
Trojan PMs
Control PMs
2nd test sequence
Trojan PMs
Control PMs
3rd test sequence
AW
AA
AS
DC
NC
Figure 10. Maximum residuals for Trojan2, all paths, normalized and calibrated to t22t.
Trojan-free control PMs produces outliers with a maximum residual of approximately two standard deviations. This indicates the
importance of accurately characterizing the Trojan-free process
space. The conclusions drawn for Trojan 2(a) concerning the signal calibration techniques hold true here as well. In particular, the
method applied without signal calibration for this Trojan produces
no outliers under any of the three test sequences.
7 Conclusions
A statistical approach is proposed for the detection of Trojans that is based on the analysis of regional transient power supply signals. Four different signal calibration techniques are
analyzed to determine their relative effectiveness on reducing the
adverse effects of process and test environment variations. Simulation experiments demonstrate that signal calibration is an essential component to enhancing Trojan resolution of the method. The
new AC methods proposed in this paper outperform previously
described DC methods and the simplest form of AC signal calibration, namely AC sampling, is equivalent in power to more
complex schemes. For AC sampling, the important components of
the impedance variations in the chip and test environment are captured in a single waveform sample under the condition that the
sample is collected close in time (couple of ns) to the delivery of
the calibration stimulus.
8 Acknowledgements
The work of Reza Rad and Jim Plusquellic was supported in
part by NSF grant CNS-0716559. The work of Mohammad
Tehranipoor was supported in part by NSF grant CNS-0716535.
References
[1] http://www.acq.osd.mil/dsb/reports/2005-02HPMS_Report_Final.pdf
[2] http://www.darpa.mil/mto/solicitations/baa07-24/index.html
[3] R. Rad, J. Plusquellic, M. Tehranipoor, “Sensitivity Analysis
to Hardware Trojans using Power Supply Transient Signals”, International Workshop on Hardware-Oriented Security and Trust, 2008, pp. 3-7.
[4] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, B. Sunar,
“Trojan Detection using IC Fingerprinting”, Symposium on
Security and Privacy, 2007, pp. 296 - 310.
[5] F. Wolff, C. Papachristou, S. Bhunia, and R. Chakraborty,
“Towards Trojan-Free Trusted ICs: Problem Analysis and
Detection Scheme”, Design, Automation and Test in Europe, 2008, pp. 1362-1365.
[6] Jie Li and John Lach, “At-Speed Delay Characterization for IC
Authentication and Trojan Horse Detection”, International
Workshop on Hardware-Oriented Security and Trust, 2008,
pp. 8-14.
[7] M. Banga and M. S. Hsiao, “A Region Based Approach for the
Identification of Hardware Trojans”, International Workshop on Hardware-Oriented Security and Trust, 2008, pp.
40-47.
[8] R. S. Chakraborty, S. Paul and S. Bhunia, “On-Demand Transparency for Improving Hardware Trojan Detectability”, International Workshop on Hardware-Oriented Security and
Trust, 2008, pp. 48-50.
[9] Y. Jin and Y. Makris, “Hardware Trojan Detection Using Path
Delay Fingerprints”, International Workshop on Hardware-
Oriented Security and Trust, 2008, pp. 51-57.
[10] D. Acharyya and J. Plusquellic, “Hardware Results Demonstrating Defect Detection Using Power Supply Signal Measurements”, VLSI Test Symposium, 2005, pp. 433-438.
[11] J. Plusquellic, D. Acharyya, A. Singh, M. Tehranipoor and C.
Patel, “Quiescent Signal Analysis: a Multiple Supply Pad
IDDQ Method,” IEEE Design and Test of Computers, vol.
23, no. 4, pp. 278-293, 2006.
[12] X. Wang, M. Tehranipoor and J. Plusquellic, “Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions”, International Workshop on Hardware-Oriented
Security and Trust, 2008, pp. 15-19.
[13] http://www.fm.vslib.cz/~kes/asic/iscas/
[14] http://www.mosis.com/Technical/Testdata/tsmc-018prm.html
[15]D. Acharyya and J. Plusquellic, “Impedance Profile of Commercial Power Grid and Test System”, International Test Conference, 2003, pp. 709-718.
[16] A. Singh, C. Patel and J. Plusquellic, “Fault Simulation Model for iDDT Testing: An Investigation”, VLSI Test Symposium, 2004, pp. 304-310.
[17] M. Sachdev, P. Janssen, V. Zieren, “Defect Detection with
Transient Current Testing and its Potential for Deep Submicron CMOS ICs", International Test Conference, 1998,
pp. 204-213.